DOC-3498: tinymceai on-premises documentation by kemister85 · Pull Request #4142 · tinymce/tinymce-docs

kemister85 · 2026-05-18T04:34:27Z

Ticket

Summary

Complete on-premises deployment documentation for the TinyMCE AI service, cherry-picked from feature/8.6.0/DOC-3401_DOC-3498 (#4137) and retargeted to tinymce/8 for independent merge.

New pages (10)

Page	Scope
Overview	Architecture, capabilities, prerequisites, setup paths, and support
Getting started	Five-minute Docker Compose quick start with end-to-end smoke test
Database, Redis, and storage	MySQL/PostgreSQL setup, Redis configuration, container runtimes, and managed cloud options
LLM providers	OpenAI, Anthropic, Google Gemini, Azure OpenAI, AWS Bedrock, Google Vertex AI, and self-hosted endpoints
JWT authentication	HS256 signing model, claims, permissions reference, and token endpoint examples in 8 languages
TinyMCE integration	Editor-side configuration, token provider, CORS, CSP, and SSR patterns
Production deployment	Podman, Kubernetes, AWS ECS, scaling, security hardening, observability, rate limiting, backup/recovery, and sizing
Advanced scenarios	MCP integration, web scraping/search, multi-tenant patterns, custom models with guardrails, and AI-powered document pipelines
Troubleshooting	Quick triage, container startup, JWT, LLM provider, editor, and performance diagnostics
Reference	Environment variables, API endpoints, SSE events, error codes, and known limits

Assets

Include new Mermaid .mmd source files with pre-rendered .svg diagrams
Render script at -scripts/render-mermaid.sh
All diagrams set to width=100% for responsive scaling

Navigation

nav.adoc updated with a new "On-premises deployment" section containing all 10 pages in logical reading order.

Review feedback addressed

All review comments from PR #4137 have been incorporated, including:

Generalized overview for standalone API use (not just TinyMCE)
Simplified architecture diagram on overview; detailed version moved to production page
Redis Sentinel marked as not supported
"Framework integration" renamed to "TinyMCE integration"
License key reference for on-premises deployments
LLM provider wording corrected (native vs OpenAI-compatible)
Troubleshooting flowchart replaced with triage list
Docker image name updated to `ai-service-tiny` per confirmed registry URL

Pre-checks

Branch prefixed with `hotfix/8/`
`modules/ROOT/nav.adoc` has been updated
Local build passes with no new errors
Documentation Team Lead has reviewed

Add missing customer-facing content identified by comparing the original internal documentation against the current on-premises AsciiDoc pages: capabilities matrix on the overview page, Podman production runbook, performance characteristics table, expanded known limits reference, MySQL 8.4 caveat, Ollama systemd and Modelfile examples, and getting-started teardown and config update guidance.

Expand 18 acronyms (OCI, JWT, LLM, SSE, TLS, CORS, MCP, NTP, HPA, OTLP, IRSA, ADC, SSR, CSP, SIEM, PII, HA, mTLS) on first prose occurrence per page for readers unfamiliar with the terms.

Reduce edge clutter by connecting a single representative replica to downstream services and grouping the data layer into a subgraph. Fix SVG width to use a fixed pixel value consistent with other diagrams in the set.

- Generalize overview page for standalone API use, not just TinyMCE - Swap complex architecture diagram for simplified overview diagram - Move detailed enterprise topology to production page (collapsible) - Fix capabilities table: chat, document review, file attachments, scaling - Redis: mark Sentinel as not supported - Remove TinyMCE 8.0+ from prerequisites (not required for API-only) - Reverse proxy changed from required to recommended - Fix decision tree cross-references (Section 33 -> guide names) - Replace troubleshooting flowchart with ordered triage list - Rename "Framework integration" to "TinyMCE integration" across all refs - Fix API key reference for on-prem (license key or API key) - Reorder support section docker commands for logical flow - Make MCP diagram arrows bidirectional - LLM providers: clarify native vs OpenAI-compatible providers - Re-render all mermaid diagrams

Registry URL confirmed as registry.containers.tiny.cloud/ai-service-tiny.

- Soften privacy claim to clarify LLM provider data handling - Reword data flow steps (JWT, prompt phrasing) - Clarify setup path section and topic guide introduction - Remove orphan diagrams (troubleshooting-fig-1, complete-guide-fig-9) - Remove "Must include" from plugins table, fix troubleshooting wording - Replace MySQL 8.4 references with "the latest MySQL" across all pages - Add provenance NOTE to performance characteristics - Consolidate production page diagrams (promote complete-guide-fig-1) - Improve overview and providers diagram layouts (LR, spacing) - Move provider examples out of collapsible block for visibility

Remove Performance characteristics and Sizing guide from the production page until engineering provides verified data.

Fix Redis Sentinel contradiction, add terminationGracePeriodSeconds and PDB to K8s manifest, add S3 credentials and topology spread, bootstrap step after Service manifest, HPA I/O-bound caveat, managed database TLS section, Docker network resolution for Compose v2, MODELS requirement clarification, and assorted cross-links and callouts identified during the independent evaluation audit.

…back - Add Credentials table and OpenAPI capability to Overview - Expand CORS section with format, wildcards, preflight, common mistakes - Add production readiness checklist and prerequisite statement - Document agent-1 default model behavior on Providers page - Add MODELS and secrets to ECS task definition example - Document IAM/IRSA limitation across all deployment targets - Trim rate limiting, distributed logging, PDB, topology to one-liners - Remove marketing sections from Advanced (guardrails, document pipeline) - Label install commands in JWT examples for clarity - Address reviewer feedback on Getting Started clarity and formatting

- Fix "On-Premise" to "on-premises" in page titles - Update Advanced description to match trimmed content - Add external links: K8s Secrets, Ingress, HPA, KEDA, OTLP, nginx - Replace jargon ("upstream", "definitive") with neutral phrasing - Normalize xref capitalization to sentence case - Replace "ensure" with direct imperatives per style guide

Move MCP and web scraping/search content to a dedicated child page (tinymceai-on-premises-mcp.adoc) under LLM providers. Move multi-tenant deployment content into the JWT authentication page. Delete the catch-all Advanced scenarios page and update all cross-references and nav accordingly.

- Getting Started: add ALLOWED_ORIGINS, fix CORS blocker, mark TINYMCE_API_KEY required for CDN demo, fix NOTE inside bash block, un-collapse launch script, add prerequisites section - Production: add missing storage secret keys to K8s Secret, add ALLOWED_ORIGINS to K8s and ECS, align HPA minReplicas, add ECS startPeriod, label Podman as eval-only storage - JWT: fix aud description, fix sanity-check port, coerce sub to String - Frameworks: add React, Vue, Angular minimal examples - Database: add AI service connection env vars section - MCP: label Express example as illustrative - Overview: add MCP to topic guides table

- Add deployment architecture diagram (overview-fig-2.svg) to Overview - Add "where this fits" introductory context to Database, Providers, JWT, and Frameworks pages linking to overall deployment flow - Un-nest MCP page to same nav level as other on-prem pages - Add Step 1/2/3 subheadings to Getting Started verification section - Remove raw Management API reference from Getting Started - Restructure Database version pinning into neutral parent section - Fix "two layers" to "three layers" matching the diagram - Address metricjs PR feedback: hyphens, TLS note, Redis wording, schema note ordering, conditions-first, section explanations

Add theme config with 14px font and wider node spacing, shorten truncated model names, use uniform arrow weight throughout, and fix SVG width to 1200px.

Un-collapse fields table and Ollama networking into visible sections, remove duplicated LLM_TIMEOUT_MS, consolidate vLLM and LM Studio into a comparison table, fix Verify to hit the AI service endpoint, and add a "when to use" introductory sentence.

Replace em dashes and double hyphens with colons in label:description list patterns across all on-premises pages. Normalize bold formatting to single-asterisk emphasis for consistency.

- Reorder nav: MCP moved after TinyMCE Integration, marked optional - Un-collapse token server, K8s manifest, and MySQL compose file - Add "Next steps" section to Getting Started bridging to production - Replace dynamic launch script with static docker run + TIP - Add expected boot log after docker run - Promote prerequisites to "Before you begin" with verification commands - Add complete docker run reference to Reference page - Add numbered steps (1-5) to Production K8s section - Standardize placeholders to <kebab-case> format across all pages - Condense agent-1 explanation on Providers page - Remove raw management API reference from Production page

tiny-ben-tran · 2026-05-20T01:35:42Z

@@ -0,0 +1,14 @@
+flowchart LR


hmmm... the output looks the same as modules/ROOT/images/tinymceai-on-premises/advanced-scenarios-fig-2.svg

tiny-ben-tran · 2026-05-20T01:37:50Z

+* A token endpoint exists that signs JSON Web Tokens (JWTs) for the AI service. See xref:tinymceai-on-premises-jwt.adoc[JWT authentication] for back-end implementations.
+* A valid TinyMCE license key or API key with the AI feature enabled. On-premises deployments typically use a license key provided by a Tiny account representative.
+
+For general framework setup (installing wrappers, component structure, server-side rendering (SSR) patterns), see the existing integration guides:


Suggested change

For general framework setup (installing wrappers, component structure, server-side rendering (SSR) patterns), see the existing integration guides:

For general framework setup (installing wrappers, component structure), see the existing integration guides:

tiny-ben-tran · 2026-05-21T00:57:25Z

+
+
+
+== Editor-side token provider


Suggested change

== Editor-side token provider

== Editor-side configuration

tiny-ben-tran · 2026-05-22T05:45:52Z

@@ -0,0 +1,23 @@
+%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#ECECFF', 'primaryBorderColor': '#9370DB', 'lineColor': '#333333', 'edgeLabelBackground': '#e8e8e8', 'fontSize': '16px' }, 'flowchart': { 'nodeSpacing': 40, 'rankSpacing': 80 }}}%%


Can a dotted box be added to clearly indicate client layer and application layer?

tiny-ben-tran · 2026-05-22T05:50:58Z

+
+=== Data flow
+
+Data flow for a single AI request:


Suggested change

Data flow for a single AI request:

AI Request Flow

tiny-ben-tran · 2026-05-22T05:57:35Z

+. The AI service verifies the token, checks per-feature permissions, and forwards the prompt to the configured large language model (LLM).
+. The LLM streams its response back to the AI service.
+. The AI service relays the response to the client through Server-Sent Events (SSE).


So the AI services are just a gate keeper that validates permissions and forwards prompts to a LLM? I believe it could be re-worded to be simpler

tiny-ben-tran · 2026-05-22T06:10:30Z

+
+When used with TinyMCE `tinymceai`, the plugin handles steps 1, 2, and 5 automatically through the `tinymceai_token_provider` callback.
+
+IMPORTANT: The browser connects directly to the AI service — requests do not pass through the application back end. The AI service must be network-reachable from the end-user browser, which means it must have a public URL (or be accessible through a VPN/internal network when deployed on an intranet). Configure xref:tinymceai-on-premises-frameworks.adoc#_cross_origin_requests_to_the_ai_service[CORS] and xref:tinymceai-on-premises-production.adoc#_tls_https[TLS] on the AI service accordingly.


Maybe just a note instead of important mark

tiny-ben-tran · 2026-05-22T06:16:12Z

+
+IMPORTANT: The browser connects directly to the AI service — requests do not pass through the application back end. The AI service must be network-reachable from the end-user browser, which means it must have a public URL (or be accessible through a VPN/internal network when deployed on an intranet). Configure xref:tinymceai-on-premises-frameworks.adoc#_cross_origin_requests_to_the_ai_service[CORS] and xref:tinymceai-on-premises-production.adoc#_tls_https[TLS] on the AI service accordingly.
+
+The shared secret (API Secret) never leaves the back end; the editor and the AI service only ever see signed tokens.


I believe that the secret never leaves the AI service Docker container.

tiny-ben-tran · 2026-05-22T06:18:59Z

+|Only for self-hosted editor deployments. Provided by the Tiny account representative.
+|===
+
+NOTE: `LICENSE_KEY` (the AI service license) and `TINYMCE_API_KEY` / `license_key` (the editor license) are different credentials from different sources. Do not interchange them.


Suggested change

NOTE: `LICENSE_KEY` (the AI service license) and `TINYMCE_API_KEY` / `license_key` (the editor license) are different credentials from different sources. Do not interchange them.

NOTE: `LICENSE_KEY` (the AI service license) and `TINYMCE_API_KEY` / `license_key` (the editor license) are different credentials from different sources. They are not interchangable.

tiny-ben-tran · 2026-05-22T06:22:46Z

+[.text-center]
+image::tinymceai-on-premises/complete-guide-fig-2.svg[Setup path decision tree,width=100%]
+
+== Topic guides


Do the topics mean to match each path on the flow chart?

ShiridiGandham · 2026-05-23T23:50:03Z

+* A TinyMCE license key and container registry credentials (from the Tiny account representative)
+* At least one LLM provider API key (OpenAI, Anthropic, or Google)
+
+== Five-minute demo with Docker Compose


Suggested change

== Five-minute demo with Docker Compose

== Quick demo with Docker Compose

kemister85 added 5 commits May 18, 2026 14:31

DOC-3498: tinymceai on-prem documentation.

3ca63c6

DOC-3498: Expand acronyms on first prose use across on-premises pages

deae589

Expand 18 acronyms (OCI, JWT, LLM, SSE, TLS, CORS, MCP, NTP, HPA, OTLP, IRSA, ADC, SSR, CSP, SIEM, PII, HA, mTLS) on first prose occurrence per page for readers unfamiliar with the terms.

DOC-3498: Clean up architecture overview diagram

3bb5069

Reduce edge clutter by connecting a single representative replica to downstream services and grouping the data layer into a subgraph. Fix SVG width to use a fixed pixel value consistent with other diagrams in the set.

kemister85 requested review from a team and soritaheng as code owners May 18, 2026 04:34

kemister85 requested review from EkimChau, MitchC1999 and tiny-ben-tran May 18, 2026 04:34

DOC-3498: Update Docker image name to ai-service-tiny

260ed25

Registry URL confirmed as registry.containers.tiny.cloud/ai-service-tiny.

kemister85 force-pushed the hotfix/8/DOC-3498 branch from a80cb4c to 260ed25 Compare May 18, 2026 04:37

kemister85 mentioned this pull request May 18, 2026

DOC-3498: tinymceai on-prem documentation. (Closing) #4137

Closed

5 tasks

kemister85 added 4 commits May 19, 2026 13:36

DOC-3498: Remove internal testing reference from performance note

84caab2

DOC-3498: Remove unverified performance and sizing sections

21c8452

Remove Performance characteristics and Sizing guide from the production page until engineering provides verified data.

DOC-3498: Remove redundant [arabic] list style attributes

cf8b90f

kemister85 requested review from ArvinJ-H, ShiridiGandham, frossi933, hamza0867, metricjs and tjdett May 19, 2026 05:05

metricjs reviewed May 20, 2026

View reviewed changes

Comment thread modules/ROOT/pages/tinymceai-on-premises-getting-started.adoc Outdated

metricjs reviewed May 20, 2026

View reviewed changes

Comment thread modules/ROOT/pages/tinymceai-on-premises-getting-started.adoc Outdated

metricjs reviewed May 20, 2026

View reviewed changes

Comment thread modules/ROOT/pages/tinymceai-on-premises-getting-started.adoc

metricjs reviewed May 20, 2026

View reviewed changes

Comment thread modules/ROOT/pages/tinymceai-on-premises-getting-started.adoc Outdated

metricjs reviewed May 20, 2026

View reviewed changes

Comment thread modules/ROOT/pages/tinymceai-on-premises-getting-started.adoc Outdated

metricjs reviewed May 20, 2026

View reviewed changes

Comment thread modules/ROOT/pages/tinymceai-on-premises-getting-started.adoc Outdated

metricjs reviewed May 20, 2026

View reviewed changes

Comment thread modules/ROOT/pages/tinymceai-on-premises-getting-started.adoc Outdated

metricjs reviewed May 20, 2026

View reviewed changes

Comment thread modules/ROOT/pages/tinymceai-on-premises-getting-started.adoc Outdated

kemister85 added 4 commits May 20, 2026 21:34